DC Circuit Reinstates Cyberbreach Claim Against CareFirst, Outlines Standing Requirements

DC Circuit Reinstates Cyberbreach Claim Against CareFirst, Outlines Standing Requirements

The U.S. Court of Appeals for the District of Columbia  Circuit has reversed dismissal of a putative class action brought against health insurer CareFirst, Inc. in connection with a 2014 cyberattack. The District Court had dismissed the case on the grounds that the plaintiff CareFirst customers had “not demonstrated a sufficiently substantial risk of future harm stemming from the breach” and therefore lacked standing. The D.C. Circuit disagreed, on multiple grounds.  First, the appeals court disagreed with the District Court’s conclusion that the complaint did not allege the theft of social security and credit card numbers; in fact, the complaint specifically alleged that the cyberattack gained access to “patient credit card . . . and social security numbers.”  With this information, the D.C. Circuit concluded that the plaintiffs faced a substantial risk of identity theft. Moreover, the D.C. Circuit noted that the complaint alleged the theft of subscriber ID numbers and other information that made a substantial risk of identify fraud – including “medical identity theft” and inaccurate medical record entries that could result in improper medical care, insurance ineligibility, or depleted health insurance. Finally, the D.C. Circuit dismissively rejected CareFirst’s argument that the plaintiffs’ injury was only “fairly traceable” to the data thief.  The court noted that “Article III standing does not require that the defendant be the most immediate cause, or even a proximate cause, of the plaintiffs’ injuries; it requires only that those injuries be ‘fairly traceable’ to the defendant” – which the plaintiffs adequately pleaded by alleging that CareFirst failed properly to secure patient data. [8/3/17]

Search